Posts
EU Justice Minister Viviane Reding, has recently announced that she is formulating a policy that will mandate any business trading in the EU or who targets EU residents, to notify their customers, and the regulatory authorities, if they suffer a data breach. The intention being to ensure that all businesses handling sensitive data take their obligations seriously.
This action follows the recent spate of attacks on some high profile organisations, where millions of personal data records were subject to data hacks.
Following the introduction of the EU e-privacy directive on 26th May 2011, Telecoms, and Internet Service Providers are already subject to mandatory data breach disclosure, and the Minister is now seeking to widen these powers to include all sectors.
The legislation has the power to impose penalties and legal sanctions for any infringement and it is expected that these strong ’incentives‘, will encourage businesses to conduct serious risk assessments regarding their storage of sensitive personal data, and implement appropriate security measures to protect the confidentially and integrity of this information.
It should also be noted that the UK Information Commissioner has regulatory powers to investigate and penalise in cases of deliberate and persistent misconduct.
With all of the increasing media and regulatory interest in data security, how does a business go about protecting its’ key assets, particularly customer databases and avoid a data breach?
How can Sysnet Global Solutions help?Sysnet offers a Security Assessment service, which provides a unique and flexible approach encompassing Incident Response, Audit, Computer Forensics and Penetration testing.
The assessment will be tailored to the individual needs of the business, and can include reviews of encryption, wireless networking, portable device security, contingency plans, security awareness, system configuration and premises vulnerabilities.
If a business takes card payments, they will fall under the requirements of the Payments Card Industry – Data Security Standards (PCI-DSS) – However the Sysnet Security Assessment service goes into far more detail, so that the customer can feel confident that they are in control of their security position.Additionally Sysnet offer an on-demand, computer incident response service, whereby in the event of an incident, Sysnet can be on call ready to provide advice and visit the affected site to help contain the incident, offer guidance and if required, conduct a forensic investigation. This service is pre-arranged and also includes an initial visit to the site to help assist in highlighting security vulnerabilities, and offering remediation planning to overcome these weaknesses.
Whilst no business can be wholly safe from a data incident, by following the guidance given by the Sysnet CFS team, businesses can reduce their exposure to receiving such an attack, but also will be in a far better position to respond in a positive and speedy manner, to ensure continuance of trading and minimisation of brand and reputational damage.
Another key area is the storage of unencrypted card data - under PCI-DSS all card data should be securely deleted from computer systems, or if deemed necessary for operational requirements, then the information needs to be stored in a suitable encrypted format. In all too many cases, when a forensic investigation is undertaken following a data breach, card information is located in clear text.
This can be due to a number of circumstances, forgotten databases, legacy systems deemed out of scope for PCI accreditation, or back-up files converting encrypted information into readable format. Whatever the reason, storing unencrypted data will heighten the risk, and invalidate any PCI compliance certification.
To mitigate operating with such vulnerability, Sysnet are able to offer their Cardholder Data Discovery Service, which can scan server, PCs, and storage media for unencrypted card numbers. Once the scan has been completed, and if any residual information has been identified, we can safely erase the data, help prevent it from being stored or if preferred, give guidance as to how the records can be held securely to conform to the PCI-DSS.Sysnet bring the pragmatic mindset of a forensic investigator together with knowledge of real world hacking to give you the edge in security management. For more information please contact us by calling 0844 562 3147 (UK) or +353 (0)1 495 1300 (Rest of the World) or by completing our Online Enquiry Form or Request a Call Back Form
